Bomb Threats As a Denial-of-Service Attack

The University of Pittsburgh has been the recipient of 50 bomb threats in the past two months (over 30 during the last week). Each time, the university evacuates the threatened building, searches it top to bottom -- one of the threatened buildings is the 42-story Cathedral of Learning -- finds nothing, and eventually resumes classes. This seems to be nothing more than a very effective denial-of-service attack.

The University is implementing some pretty annoying security theater in response:

To enter secured buildings, we all will need to present a University of Pittsburgh ID card. It is important to understand that book bags, backpacks and packages will not be allowed. There will be single entrances to buildings so there will be longer waiting times to get into the buildings. In addition, non-University of Pittsburgh residents will not be allowed in the residence halls.

I can't see how this will help, but what else can the University do? Their incentives are such that they're stuck overreacting. If they ignore the threats and they're wrong, people will be fired. If they overreact to the threats and they're wrong, they'll be forgiven. There's no incentive to do an actual cost-benefit analysis of the security measures.

For the attacker, though, the cost-benefit payoff is enormous. E-mails are cheap, and the response they induce is very expensive.

If you have any information about the bomb threatener, contact the FBI. There's a $50,000 reward waiting for you. For the university, paying that would be a bargain.

Comments

But the administration is only "stuck" because of the community's inability to understand risk. That's an especially damning indictment from what is supposed to be an educational institution. The university has seized this "teachable moment" and instead of teaching sanity teaches fear simply because that's the route of least resistance. I can understand that at the mall or even the airlines, even if I don't agree with it. But I think it's disgusting that an educational institution, when the chips are down, abandons its mission and instead cries like a little child to the FBI.

I gather from conversations at another university (during an evacuation) that this is also the time of year for increased fire alarms. Need another week to revise for an exam? Or an opportunity to look up exam answers having seen the questions? An emergency building evacuation can provide the opportunity.

While there is definitely some security theater here I don't think it is quite fair to compare this to the TSA. In this case there is known to be a person with physical access to the university buildings, who is likely enjoying this attention, and who might do something very dangerous if the University stopped treating these threats as serious. The danger here is not that the University might be embarrassed, the danger is that this already not-so-stable person might choose to do more than threaten and start killing people. Checking backpacks might be security theater, but bringing in the FBI to catch this guy is not.

Also, keep in mind that in March a shooter walked into Western Psych (which is across the street from Pitt) and shot 7 people.

There was a similar situation in England with the IRA back in 1997 where they were making constant bomb threats on the motorways. The first few caused chaos but after a while the police changed tactics to avoid disruption while still investigating the threat. The IRA saw that this was not having much effect anymore and stopped making bomb threats.

Bit of digging through the blog showed this means that they actually removed the doors to the restrooms where threats were found written. One would think that if there's enough privacy to use a restroom, there'd be enough to write something on the wall...

In response to this post I had a quick look for research on the effectiveness of bomb-threat classification systems, which are one of the reasons that the White House isn't evacuated every 20 minutes. I was surprised (but probably shouldn't have been) to find very little. I imagine that such work is usually kept private, but perhaps I'm just using the wrong search terms. Does anyone know of any published work on the effectiveness of these systems?

When I was a student at Penn State's University Park campus circa 1969, there was a rash of phoned-in bomb threats that sound similar to the ones at Pitt. After responding to several with building evacuations and searches, which produced nothing, the University would just post signs at the entrances to the affected buildings that said something like, "We've received a threat that there's a bomb in this building that will explode at 2:00 PM. Classes will not be cancelled. Make your own choices.", and life returned to normal. But that was 1969.

Way back in the mid 80's this happened at a local community college I was attending, right around final exam time too. School was evacuated, classes disrupted, etc. It was finally decided (and announced) that if a bomb threat came in that it would be investigated but the school would not be initially evacuated. End of story.

When I went to Penn State (briefly for a total of a few hours over a period of a year), they had the highest security I'd seen at a University - bathroom locks were controlled, single entrances with guards, inspection of all bags, etc.

Each one wants something done about something they understand little and will always feel that they are getting incomplete data. Trying to educate them all would seem to be a power law problem. [The more people needing to educate the more time it takes.]

Also

If they ignore the threats and they're wrong, people will be fired. If they overreact to the threats and they're wrong, they'll be forgiven.

If they are wrong people will get hurt or die. Especially if they are dealing with someone whose need for attention pushes them to implementing the bombs when the university no longer budges.

If they over-react they not only are forgiven, but rewarded from parents, community and funding agencies.

@Saocore: Maybe forcing the perpetrator to step it up could actually help the situation -- if he has to go out and try to make a bomb that's much more likely to get caught by investigation than his anonymous re-mailing. Chances are that if he's gone this long without getting caught he never will unless he changes tack.

Pretty much every college or university I have been to has had large herds of students leaving the building near the top of the hour as all the classes let out and people needed to go to another building.

I would like to point out these started AFTER a majority of the students' midterm exams took place. And finals are not for two weeks. It would be incredibly short sighted not to mention a TON of work to cover your trail leaving all these bomb threats when you could just, you know, study or finish your work. This goes deeper or crazier than some students not wanting to accomplish work. Perhaps some of the copycats sure, but at this point it is a psychopath trying to either shut down the school, make a mockery of the police and intelligence agencies, or really is planning a follow through attack (though the anxiety is bad enough really.) It also is nerve wracking for students because this comes around the anniversary of other school shootings, which similarly underwent bomb threats prior to the occurrence (Virginia Tech.) AND to compound all these, nary a month or so ago did a crazy former patient at Western Psych (which is directly on campus) open gunfire and cause the area to go on lockdown too. Many of my friends and colleagues frequent there for research, work, etc. so leftover anxiety still looms from that incident.

So I understand the desire to use more rational thought and risk analysis, but I also want to point out, this is not just a Pitt administration decision. The FBI, Joint Terrorism Task Force, and Secret Service are here, aiding in these decisions and regularly deal with a multitude of credible and noncredible threats each day (think about the President for example.) They may or may not be doing more analyzing than we think. After all, we do not know the content or intelligence they have on all these threats yet.

I'm a student here at Pitt and I'm glad Bruce picked up on this story.

We're up to 78 threats as of this afternoon, and it's pretty obvious that the police have started doing more cursory searches. They have to: there were threats to 8 dormitories last night alone.

The building security measures are indeed security theater. Searches are not thorough at all, and some entrances or buildings aren't even covered. It's mostly a PR move to satisfy parents and prospective students.

Unless the person making these threats makes some sort of mistake, this probably isn't going to stop. As Bruce says, the University doesn't seem to have the option to start ignoring the threats.

I agree that this is just some angry (or possibly lulz-y) guy doing a real-life denial of service attack on an organization that doesn't know how to tell whether a threat is credible.

The fact that the threats began on the bathroom walls on campus at least indicates that the guy is physically present, though, which makes it more credible than if he wasn't. However, the college is still choosing the wrong option.

I posted an almost identical article about this on my own blog (which I created specifically to post about this) a few days ago. Linked in the signature.

My personal guess is that he's doing it for the lulz and is a student himself.

Above all it's worth noting that these threats are *not* attempts to get out of exams or spring fever or anything of the sort. A large number of the threats made in the past week have been on dormitories at 4AM, several nights in a row. Someone is pulling an elaborate, malicious prank. Assuming it's all one perpetrator, he also targeted a school for the blind earlier today. This is someone with serious psychological issues.

Would it not be possible for the administration to say, "Hey we think this guy is crying wolf and we're calling his bluff." And leave it up to the students and faculty whether or not they want to ride out that particular threat.

Let's look at this from this perspective...
Note this isn't a full ROI calculation, and if you REALLY pick it apart, yes there are some flaws in this, but this is only a high level analysis as a discussion point.

Mitigation: None (INACTIVE)
Likelihood of bomb entering building: High (for sake of argument, assuming threats are credible)
Upfront Cost: None
Risk to human life if there is a bomb: High
End Cost if bomb explodes: Can't put a price tag on human life, University reputation forever destroyed
Final Risk Factor: High

Mitigation: Canceling classes due to bomb threats (REACTIVE)
Likelihood of bomb entering building: High (for sake of argument, assuming threats are credible)
Upfront Cost: High - Lost class time, rescheduling of examinations, lost study time, etc
Risk to human life if there is a bomb: Medium - deaths could occur during evacuation
End cost if bomb explodes: Can't put a price tag on human life, but University did REACT, so reputation hit not as severe
Final Risk Factor: Medium High

Mitigation: Increased security, including bag checks, etc. (PROACTIVE)
Likelihood of bomb entering building: Low (for sake of argument, assuming threats are credible) - bomb would most likely be found before activation
Upfront Cost: Medium - Need to pay for additional security guards, etc.
Risk to human life if there is a bomb: High - building assumed safe, if bomb slipped through anyone inside will be at risk
End cost if bomb explodes: Can't put a price tag on human life, but University was PROACTIVE, so reputation hit not as severe
Final Risk Factor: Medium

From a security perspective, they're implementing the appropriate risk mitigation to lower the total risk, and also minimizing the costs of implementing this mitigation.

While bomb threats seem to be quite common, and while there is still the occasional real bomb here and there in the US, or the EU -- I do not remember a single event where an armed bomb was found after a bomb threat to a public building (not counting extortion or other profit-oriented crime). Is this a misconception, or are these cases really so rare these days, which would mean that a bomb threat is a good indicator for the absence of real bombs?

@MS "Thorough inspection of students entering secured buildings would make sense if it were a prelude to a decision not to evacuate a secured building in response to a threat."

This.

If they're implementing searches /and/ evacuating for every threat; thyr doin it rong.

Either they believe the searches are worthwhile and effective in which case any further threats are (or most probably are) hoaxes and can be ignored (with reasonable confidence), or they know they're just window dressing wasting everybody's time and money.

@Gweihir "The significant reward is a pretty good idea. Usually these cretins cannot help bragging."

They could make the reward simultaneously both more valuable (to the recipient) and less expensive (to the school) by making it something akin to "we'll pay all your tuition fees while you remain a student of this institution for information leading to ..."

This is different from tripping the fire alarm in High School before the period when you had a Math test, How?

OK, modern schools have cameras and you can't trip the fire alarm without being caught. Back in the olden days kids used pens to trip the alarm, in fear of fingerprint detection. It's a classic example of countermeasure cost.

Trip Alarm leads to investigation (cost to local government >> effort for student)

Frequent Alarms leads to more surveillance (cost to local government is high) leads to phone threats. Cost for student to change tactic << cost of surveillance.

Back in the day some telephonic malefactor was shutting down one of our fabs with daily bomb threats. When a threat was received in the mid-afternoon the predictable effect of the company's standard response was to provide employees an extra long break and then dismiss them for the day with pay. Needless to say no device was ever found, not that you'd need much more than a blasting cap in the right place to conflagrate the usual semi-conductor manufactory. When the fab manager announced the next evacuation would compromise the week's production another response was implemented. The threat was described on the public address system inside the fab, staff members were asked to inspect their work area for any unusual or unexpected items, no suspicious packages were found, and work resumed. The threats stopped.

The problem is that you don't know what the actual risks are. This is the problem with applying what is in fact an engineering perspective to a social problem. All the administration knows is the imagined risks. Applying logic to dreams is a fool's errand after all.

@AntoinetteMarie This solution just makes the problem worse. All it does is give the perp what he wants, attention and a feeling of self-importance. Look how powerful he is with all this heat on his neck.

If they were to just ignore him one of two things will happen. Either he will go away and seek attention elsewhere or he will escalate to an actual attack. The second option almost never happens. People who are actually interested in killing almost never telegraph their moves so as to maintain the critical element of surprise. (Witness VA Tech.)

So at the end of the day calling in the FBI can achieve nothing positive. It just feeds the beast.

@Jon - the reward you suggest would be worthless to anyone who's not a student of the school. If the person behind the threats boasted about them to any of the 280,000 or so residents of Pittsburgh who are not students of UPitt, they'd be relying purely on the person's better instincts.

Well, seriously, this is an insider threat from a member of the campus community. I am inclined to favor it being a staff member or a faculty member with closer ties than usual to the campus community. They also seem to know the campus really well, which again favors staff. I hope that the University IT team is involved up to its collective necks in the investigation. The adversary is almost certainly an avid reader of http://stopthepittbombthreats.blogspot.com and has probably posted comments there. Linguistic analysis could be very revealing.

While I was a student at USC (Los Angeles) in the 60's, my chemistry class was evidently the cause of a weekly bomb scare, given that this was the only class in the building that had a weekly quiz on Fridays. Problem went away when the professor announced that next time, everyone would gather on the lawn outside and take the quiz despite the bomb scare.

It's odd that some people have commented that sending in the FBI was wrong: the function of a University is not to defend itself against potentially armed threats, that's the job of the security services who have significantly more training and experience.

This sounds very much like the work of a single disturbed individual (and it's April/May time, which is no coincidence re mental health). If you compare against, say, the IRA - they'd make a credible warning in advance and there *would* be a bomb so they could have continued their strategy indefinitely. In this situation, the perpetrator will get caught sooner or later and the threats will diminish in credibility rather quickly.

In the mean time, the University could easily adapt its current strategy to be more effective. If they perform a full search of all the major buildings and enforce their ingress point searches to be consistent then they can state with a high level of assurance that those buildings are not going to be under threat (it's not a fantastical movie plot, simple measures will prevent most attacks). The perpetrator can adapt to target the smaller buildings, but the disturbance is minimized.

Depending on their tolerance level they could potentially also temporarily implement:

- checking for gsm transmissions in the buildings at night when empty (many bombs these days use a mobile as a trigger);

- enforce a policy of clear plastic bags for carrying all belongings on campus;

- adapt their evacuation plans to avoid concentrating people in one place;

- revise/prohibit car use/parking on the site;

- walk sniffer dogs through the campus;

- remove all general refuse bins and require students to take their rubbish home (major train stations in the UK have that policy);

and such like.

The additional measures would only slightly mitigate prevailing risk, but they are fairly cost effective measures until the FBI/Police find the perpetrator and allow the University some breathing space/options as regards evacuation.

As a noob... Aren't most of you assuming that this is a single bad apple? Isn't it just as likely that this a whole group of people who have seen that an anonymous bomb threat will get them out of class and are just copy catting off of the original?

The fact that the threats are now coming through email (although using anonymous remailers) may help - over the past several years we have seen that the police are getting much more effective tracing people over the internet.

I feel sorry for you. You are losing big time. You're losing your money, your time and your liberty. You should either abandon the pathetic institution and choose a better one (good luck!), or try to change it. But I am afraid there's only one way to do the latter in these crazy times.

I am sure there are a couple dozens of really smart people among you that can do a feat without getting caught (the threatener possibly belongs to this subset, too). What you need to do is to create, subvert or hire a botnet to send a few bomb threats *per minute*.

Bruce correctly deduces that university administration's actions come from their fear of being fired for inaction in case of a real bomb. In face of a minutely threats, they would have to shut down the university completely, including their own offices, effectively firing themselves. So they would have to choose between a 100% sure unemployment if they continue their practice and a slight chance of it if they ignore further threats. Case closed.

One thing that I noticed about the threats, was that the "target" buildings started including ones that I'd never heard of (I work in the east end of Pittsburgh, but not at Pitt/UPMC). That means that the person(s) doing this are actually familiar with the vast amount of properties owned by Pitt, including (what I'm assuming are) the lesser known fringe residential buildings.

I really feel sorry for the students. They are the losers in this, on all sides.

I'm surprised the tactic hasn't been used more widely (or is it and we're not hearing correlation studies)

In the 90s a bomb threat was called into the ATC on Long Island, they evacuated the building. This affected traffic in and out of, oh nothing, La Guardia, JFK and Newark airports backing traffic up and down the coast and points west. Pretty good pay off for a 20 cent call.

The Cathedral of Learning has once again received a bomb threat, and evacuations began at 6:38PM. An ENS alert was sent out at 6:46PM. This marks the first threat of the Cathedral since increased security measures were put into place, so we will see these new measures play into the clearing of the building.

Bomb threats have spread to other schools in the Pittsburgh area, leading officials at the Community College of Allegheny County to put in new security measures, reports The Pittsburgh Post Gazette. Threats were also received at The Western Pennsylvania School for the Blind in Pittsburgh, Point Park University and California University of Pennsylvania.

For all the "Monday Morning Quarterbacks", Pitt does not have exactly a "campus" per se. The buildings are embedded in a matrix of non-university buildings in downtown Oakland.
Several buildings, like the Cathedral of Learning, are popular tourist attractions, and several non-Pitt tourist attractions are close by. Not to mention the major roads through the area. Not exactly conducive to "sealing off the campus".

This is Yet Another Reason to move to a distributed online system of Distance Learning.
Distance Learning yet lacks an established method of Certification of Achievement, while it needs to ensure that the person so Certified actually did the work and took the tests!
It will be Very Good to not have to herd together in specific places, pay those exorbitant prices for lodging, food, and instruction, and expose oneself to such random threats as have manifested themselves in recent years...!

The real issue is that they have been repeatedly threatening the freshmen and sophomore dorms at 4 AM night after night, which has caused mass exodus of students who are sick of not being able to sleep the night due to fire alarms and evacuations, and who rile each other up even farther because they start rumors and talk about how scared they are of a shooting, which feeds into more parent and student anxieties. Plenty of people are willing to put up with the interruptions for the sake of calming students down, but at this point the person has chosen to focus on emptying the dorms and making a normal end to the semester impossible.

The DDoS on the campus will hopefully end in a week or two when the semester ends, but if they continue, it represents another huge loss of business for the university: summer programs, conferences, K-12 camps, tourism, student visits, all get affected as well, and while many of us are willing to keep calm and carry on, how do you convince a prospective student to join the insanity? The good news is that it's brought a lot of people together, but the bad news is that no one seems any closer to finding the perpetrator and the university can't function normally with or without the security theater, and the only saving grace is that this person hasn't touched the connected hospital system, even though he's forced several transplant patient evacuations from a recovery unit on campus. If this jerk, who certainly seems like a current or former undergraduate with a grudge and a mental condition, knew what he was doing, things would get even more insane very quickly and risk a lot of lives.

Since 9/11 the classic "bomb threat" should be tossed out in the same bin as the "hijacking to Cuba". For some inane reason "terrorist" groups (usually of the 1960's counter culture kind) used to actually phone in their bombing targets ahead of time which led to the now typical "evacuate the building" response to the threat. Today real terrorist groups don't bother with this sort of pantomime and simply detonate their devices without any warning for maximum impact. Frequently the bombs aren't even planted, simply strapped to some sort of human guidance system.

Long story short any "bomb threat" that takes the form of "there's a bomb in your building, ha ha ha" should be ignored as a Discredited Trope.

Why are people surprised the perp hasn't been caught? If I was doing this I would use a free disposable mail service or something like tormail, connect via the TOR net from a public wifi and send the mail, do you think they would really catch a person like that?

@Mike B: there's two incredibly good reasons to phone in bomb warnings, somewhat overlapping: so that you don't kill civilians, and so that you _do_ kill "agents of the state" - suck in police and soldiers with a credible threat, then detonate a secondary device planted where they set up to deal with the first. The PIRA used bomb warnings for these precise reasons; see https://en.wikipedia.org/wiki/1996_Docklands_bombing for an attempted example of the "not kill civilians" variation.

This is the "two bomb" or "two warning" scenario you place a small decoy bomb in a shopping center or other area and call in a warning which is non specific about location or number of bombs. The first bomb then explodes ten or twenty minutes after that, timed to happen shortly after the authorities arrive.

Your primary bomb packed in a car, van, lorry or other large volume easily moved object is packed with "shrapnel" like the Claymore Mine from Hell aimed across the "evacuation area".

Very shortly after the decoy bomb explodes you call in a second warning about a bomb in another location close to the first. This causes the authorities to effectively panic and thus pack more people into the evacuation area. Your primary bomb is timed to explode five or ten minutes after this second warning.

The result is carnage far worse than could have been obtained by just detonating the large bomb on its own.

The effects of a large bomb even without additional shrapnel detonating close to an evacuation point can be seen from the numbers of dead and injured by a single large bomb placed in the wrong place by the Real IRA in Omagh and incorrect location warnings given,

This sort of multiple bomb/warning scenario is a complete nightmare for security services because there is little or nothing they can do to mitigate it. It was described to me by one security specialist as being the equivalent of "The beaters driving the pheasant to the guns". It is also a tactic used by the military to drive the enemy into a "chosen killing ground" when ambushing them, a tactic not unknown to those who have read "The Art of War".